feat: give flexibility on endpoint configuration in cbr service module (#265)

Co-authored-by: Akash Kumar <[email protected]>

Author: Aayush-Abhyarthi

cbr-service-profile/main.tf

@@ -36,21 +36,23 @@ locals {
     ]
   }] : []
 
-  service_ref_zone_list = (length(var.zone_service_ref_list) > 0) ? [{
-    name             = "${var.prefix}-cbr-serviceref-zone"
-    account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-    zone_description = "cbr-serviceref-zone-terraform"
-    # when the target service is containers-kubernetes or any icd services, context cannot have a serviceref
-    addresses = [
-      for serviceref in var.zone_service_ref_list : {
-        type = "serviceRef"
-        ref = {
-          account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
-          service_name = serviceref
+  service_ref_zone_list = (length(var.zone_service_ref_list) > 0) ? [
+    for serviceref in var.zone_service_ref_list : {
+      name             = "${var.prefix}-${serviceref}-cbr-serviceref-zone"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      zone_description = "${serviceref}-cbr-serviceref-zone-terraform"
+      # when the target service is containers-kubernetes or any icd services, context cannot have a serviceref
+      addresses = [
+        {
+          type = "serviceRef"
+          ref = {
+            account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
+            service_name = serviceref
+          }
         }
-      }
-    ]
+      ]
   }] : []
+
   zone_list = concat(tolist(local.vpc_zone_list), tolist(local.service_ref_zone_list))
 }
 
@@ -68,7 +70,7 @@ locals {
     attributes = [
       {
         "name" : "endpointType",
-        "value" : "private"
+        "value" : join(",", ([for endpoint in var.endpoints : endpoint]))
       },
       {
         name  = "networkZoneId"

cbr-service-profile/variables.tf

@@ -60,3 +60,15 @@ variable "target_service_details" {
     error_message = "Provide a valid target service name that is supported by context-based restrictions"
   }
 }
+
+variable "endpoints" {
+  type        = list(string)
+  description = "List specific endpoint types for target services, valid values for endpoints are 'public', 'private' or 'direct'"
+  default     = ["private"]
+  validation {
+    condition = alltrue([
+      for endpoint in var.endpoints : can(regex("^(public|private|direct)$", endpoint))
+    ])
+    error_message = "Valid values for endpoints are 'public', 'private' or 'direct'"
+  }
+}

examples/multi-service-profile/main.tf

@@ -51,7 +51,7 @@ locals {
   # Merge zone ids to pass as contexts to the rule
   target_services_details = [
     {
-      target_service_name = "kms",
+      target_service_name = "secrets-manager",
       target_rg           = module.resource_group.resource_group_id
       enforcement_mode    = local.enforcement_mode
     }
@@ -63,4 +63,5 @@ module "cbr_rule_multi_service_profile" {
   zone_service_ref_list  = var.zone_service_ref_list
   zone_vpc_crn_list      = local.zone_vpc_crn_list
   target_service_details = local.target_services_details
+  endpoints              = var.endpoints
 }

examples/multi-service-profile/variables.tf

@@ -33,3 +33,15 @@ variable "zone_service_ref_list" {
   default     = ["cloud-object-storage", "containers-kubernetes", "server-protect"]
   description = "(List) Service reference for the zone creation"
 }
+
+variable "endpoints" {
+  type        = list(string)
+  description = "List specific endpoint types for target services, valid values for endpoints are 'public', 'private' or 'direct'"
+  default     = ["private"]
+  validation {
+    condition = alltrue([
+      for endpoint in var.endpoints : can(regex("^(public|private|direct)$", endpoint))
+    ])
+    error_message = "Valid values for endpoints are 'public', 'private' or 'direct'"
+  }
+}